Ah ok, I'll remove the apostrophe then.

Updated, please review:

Title: Credentials API allows non-admin to list and retrieve all users 
credentials
Reporter: Daniel 'f0o' Preussker
Products: Keystone
Affects: ==15.0.0, ==16.0.0

Description:
Daniel 'f0o' Preussker reported a vulnerability in Keystone's list credentials 
API. Any user with a role on a project is able to list any credentials with the 
/v3/credentials API when enforce_scope is false. Users with a role on a project 
are able to view any other users' credentials, which could leak sign-on 
information for Time-based One Time Passwords (TOTP) or otherwise. Deployments 
running keystone with enforce_scope set to false are affected. There will be a 
slight performance impact for the list credentials API once this issue is fixed.

** Summary changed:

- Credentials API allows listing and retrieving of all users' credentials
+ Credentials API allows listing and retrieving of all users credentials
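Added illustration of the defect class described in the advisory draft above; this is not Keystone's code and not the reporter's, and the handler, policy check and data store below are simplified stand-ins (hypothetical names `list_credentials_vulnerable`, `list_credentials_hardened`, `leaked_credential_ids`) over constructed sample rows. It shows why an authorization check that passes for any project-role holder when `enforce_scope` is false exposes every user's credentials unless the handler also narrows the result set to the caller, and how the hardened form adds that per-row filter (the modest performance cost the draft mentions).

```python
"""Model of the list-credentials scoping defect and its hardened form.

Added example, not Keystone's implementation. Names and data are constructed.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List


@dataclass(frozen=True)
class Credential:
    """One row of a credentials table (constructed shape)."""
    id: str
    user_id: str
    type: str  # e.g. "totp" or "ec2"


@dataclass(frozen=True)
class RequestContext:
    """What a handler learns from the validated token (simplified)."""
    user_id: str
    roles: FrozenSet[str]
    system_scope: bool = False  # True for system-scoped tokens


# Constructed sample data, not taken from any real deployment.
STORE: List[Credential] = [
    Credential("cred-1", "alice", "totp"),
    Credential("cred-2", "bob", "ec2"),
    Credential("cred-3", "alice", "ec2"),
]


def _is_privileged(ctx: RequestContext) -> bool:
    return ctx.system_scope or "admin" in ctx.roles


def _authorize_list(ctx: RequestContext, enforce_scope: bool) -> None:
    """Hypothetical policy check. With scope enforcement on, only privileged
    callers pass; with it off, any caller holding a role on a project passes."""
    if enforce_scope:
        if not _is_privileged(ctx):
            raise PermissionError("list_credentials requires admin or system scope")
    elif not ctx.roles:
        raise PermissionError("caller holds no role on any project")


def list_credentials_vulnerable(ctx: RequestContext, enforce_scope: bool,
                                store: List[Credential] = STORE) -> List[Credential]:
    """Defective pattern: authorization passes, but the result set is never
    narrowed to the caller, so every row in the table comes back."""
    _authorize_list(ctx, enforce_scope)
    return list(store)


def list_credentials_hardened(ctx: RequestContext, enforce_scope: bool,
                              store: List[Credential] = STORE) -> List[Credential]:
    """Hardened pattern: a non-privileged caller is always restricted to rows
    carrying their own user_id, whatever the enforce_scope setting is."""
    _authorize_list(ctx, enforce_scope)
    if _is_privileged(ctx):
        return list(store)
    return [c for c in store if c.user_id == ctx.user_id]


def leaked_credential_ids(ctx: RequestContext, result: List[Credential]) -> List[str]:
    """Audit helper: ids in `result` that belong to someone other than the caller."""
    return [c.id for c in result if c.user_id != ctx.user_id]


def is_denied(fn: Callable[..., List[Credential]], ctx: RequestContext,
              enforce_scope: bool) -> bool:
    """True when the handler refuses the call outright."""
    try:
        fn(ctx, enforce_scope)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    bob = RequestContext("bob", frozenset({"member"}))
    for fn in (list_credentials_vulnerable, list_credentials_hardened):
        rows = fn(bob, enforce_scope=False)
        print(f"{fn.__name__}: {len(rows)} rows, leaked {leaked_credential_ids(bob, rows)}")
```

Running it with a plain project member and `enforce_scope=False` shows the vulnerable handler returning the other user's TOTP and EC2 rows while the hardened one returns only the caller's own row; with `enforce_scope=True` the same member is refused by both, which matches the draft's statement that only deployments running with `enforce_scope` false are affected.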

https://bugs.launchpad.net/bugs/1855080

Title:
  Credentials API allows listing and retrieving of all users credentials
